Re: [Snort-users] Re: [Snort-announce] Snort 2.0 rc1 available

From: Bennett Todd <bet(at)rahul.net>
Date: Thu Mar 27 2003 - 12:13:28 EST

2003-03-27T02:34:48 Mahdi Kefayati:
> One of the things I have been looking for in snort is logging the
> URI which has caused a rule to be triggered.

If I wanted to accomplish that, I'd try combining snort's pcap logging with the urlsnarf program from Dug Song's dsniff.

A quick peek at the man page of the urlsnarf I've got installed on my system reveals no -r option for reading a pcap file, so that might have to be hacked in.

Another approach might be to just hit the pcap file with ngrep, and yank the URL out of that with a simple perl invocation.

These all assume that the pcap file ends up containing the request URI, which would in turn depend on details of the rule; if the rule only fires on a later packet, e.g. in a method=POST body, the header with the request URI will be long gone by the time the rule fires, and the only way to do such processing will be to keep full capture files of all traffic, and retroactively search them when a rule fires.

-Bennett
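As an added illustration of the "hit the pcap file and yank the URL out" step (example code written for this archive page; it is not Bennett's, dsniff's or ngrep's code), the script below walks a pcap file, picks out TCP segments whose payload begins with an HTTP request line, and returns source, destination, method, request URI and Host. The capture it reads is constructed inline: one segment carries a GET request, one carries only the body bytes of a POST, and one is non-HTTP. The body-only segment is exactly the caveat in the message: if a rule fires on that packet, there is no request line in it to recover, so the function reports one request out of three segments. The pcap writer, IP addresses and URI are all assumptions of the example.

```python
import re
import struct
from typing import Iterator, List, Optional, Tuple

# An HTTP request line must be the very first thing in the TCP payload.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)\r\n", re.IGNORECASE)


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,    # ports, seq, ack
                      5 << 4, 0x18, 65535, 0, 0)           # data offset 5 words, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, str, bytes]]:
    """Yield (src_ip, dst_ip, tcp_payload) for every TCP-over-IPv4 Ethernet frame."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("this example only reads little-endian microsecond pcap files")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        if frame[23] != 6:
            continue                                       # IP protocol is not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp_start = 14 + ihl
        data_off = (frame[tcp_start + 12] >> 4) * 4
        yield src, dst, frame[tcp_start + data_off:]


def extract_requests(pcap: bytes) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Return (src, dst, method, uri, host) for each segment that starts with a request line.

    Segments carrying only body bytes (the tail of a POST) have no request line,
    so nothing can be recovered from them: they are skipped, as the message warns.
    """
    found = []
    for src, dst, payload in iter_tcp_payloads(pcap):
        m = REQUEST_LINE.match(payload)
        if not m:
            continue
        h = HOST_HEADER.search(payload)
        host = h.group(1).decode("ascii", "replace") if h else None
        found.append((src, dst, m.group(1).decode("ascii"),
                      m.group(2).decode("ascii", "replace"), host))
    return found


def tcp_segment_count(pcap: bytes) -> int:
    """Number of TCP segments in the capture, for comparison with what extract_requests yields."""
    return sum(1 for _ in iter_tcp_payloads(pcap))


# Constructed sample capture (hypothetical addresses and URI).
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.1", 1234, 80,
                b"GET /cgi-bin/test.cgi?x=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.1", 1235, 80,
                b"name=foo&comment=bar"),                  # POST body only: request line long gone
    build_frame("10.0.0.5", "10.0.0.1", 1236, 22,
                b"SSH-2.0-OpenSSH\r\n"),                   # not HTTP at all
])

if __name__ == "__main__":
    print(tcp_segment_count(SAMPLE_PCAP), "TCP segments")
    for req in extract_requests(SAMPLE_PCAP):
        print(req)
```

Run against a real capture by replacing SAMPLE_PCAP with the bytes of a snort pcap log; the reader only handles the classic little-endian pcap format and IPv4/TCP without IP options beyond what IHL describes, which is enough to show the point: the URI is recoverable only from the segment that actually carries the request line.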

Received on Thu Mar 27 12:48:08 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:50:27 EDT